What happened?

In mid-December 2013, we learned criminals forced their way into our system, gaining access to guest credit and debit card information. As the investigation continued, it was determined that certain guest information was also taken. The information included names, mailing addresses, email addresses or phone numbers. We have partnered with a leading third-party forensics firm who is thoroughly investigating the breach.

Do you think you will find anything else?

How could Target let all this credit and debit card information get accessed?

This unauthorized access is a crime, and we are taking it very seriously. While we can’t provide specifics because the investigation is ongoing, we are working closely with the United States Secret Service and the Department of Justice to bring those responsible to justice.

How can I be assured you are taking the steps to protect my information in the future?

We are committed to making this right and are investing in the internal processes and systems needed to reduce the likelihood that this ever happens again. For example, we are accelerating our plans to put chip-enabled technology in our stores and on our Target REDcards by early 2015, six months ahead of our previous plan. You can learn more about our investment in smartcards here.

When did Target learn that certain guest information was taken? Was there another breach?

This information was discovered as part of the ongoing investigation. This theft is not a new breach. This development was uncovered in the course of the ongoing investigation. When we discovered the breach on December 15, 2013, we moved swiftly to close the access point that criminals used and removed the malware they left behind.

Why was Target collecting and holding this type of information?

If I believe that my credit or debit card information was impacted, does that automatically mean additional information was stolen as well?

This is not a new breach. There may be some duplication of guests between this development and those impacted by the credit and debit card data. However, the payment card data and this information were not linked.

What does it mean if my information was stolen? What are the risks?

Because this is generally publicly available information, the primary risk is increased exposure to consumer scams, such as phishing, web scams and social engineering. We want to help our guests protect themselves by providing information and resources about these scams. For helpful tips and more information, see the Frequently Asked Questions provided on scams below, or visit A Bullseye View.

How do I know if my credit or debit card was impacted?

If you shopped at Target between Nov. 27 and Dec. 15, 2013, you should keep a close eye for any suspicious or unusual activity on any credit or debit card accounts that you used while shopping during that time.

How many credit or debit cards were impacted?

Since I shopped at Target between Nov. 27 and Dec. 15, 2013, does that mean my card has been used fraudulently?

No. Just because you shopped at our stores during that timeframe does not mean your card has been used for fraud. You should continue to closely monitor your credit or debit card account information and immediately report any fraudulent or suspicious activity.

Should I call Target to see if my credit or debit cards were affected?

You don’t need to call us unless you believe there are suspicious charges to your Target REDcard. Target already has fraud alerts in place and is actively monitoring REDcard accounts that may have been impacted.

The banks that issue non-Target credit and debit cards also have been notified and have similar processes in place. You too, should keep a close watch on your account by reviewing your credit or debit card statements.

You should call your card’s issuing bank if you discover any suspicious, unusual or fraudulent activity.

Will my card’s financial institution be able to tell me if I was impacted?

Target shared the impacted credit and debit card information with the processors, who in turn, shared with the issuing banks. You should continue to closely monitor your credit or debit card account information and immediately report any fraudulent or suspicious activity by calling the number on the back of your card. One recommended safety precaution is to change the PIN number on your debit card.

If you decide to change your PIN number on your Target REDcard debit card, go to Target.com/RCAM.

If I used my credit or debit card at Target.com or in Canada between Nov. 27 and Dec. 15, 2013, should I be concerned?

I heard that CVV information was impacted. Is the CVV code the same as the three-digit security code on the back of my card?

There are two types of CVV data: CVV, which is encoded on the magnetic stripe and CVV2, which is the three or four digit value that is printed on the back or front of your card. We have determined that this breach impacted CVV information. At this time, we have no indication that CVV2 data was compromised; and therefore, no indication that the three- and four-digit security codes are impacted.

Will I be held liable for fraudulent charges on my card?

What impact did the breach have on PIN numbers?

On Dec. 27, 2013, we were able to confirm, through additional forensic work, that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.

Why does Target think PIN data can’t be compromised?

Due to how the encryption process works, Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.

Should I change my PIN?

We remain confident that PIN numbers are safe and secure. If you would prefer to update your PIN, you can manage your REDcard PIN by logging on to your Target REDcard account at Target.com/RCAM or contacting your bank.

How do I know that emails and information I receive are actually from Target?

We have posted copies of our email communication related to this breach incident to Target.com/databreach within the “official documents & communication” section, so you can compare any emails you receive to official copies of the emails that Target has distributed.

I know there are scams that are going on. What is Target doing to deal with consumer scams arising from the incident?

We are aware of some scams concerning phishing in the form of e-mails, text, fake websites and phone calls designed to steal personal information from our guests in the wake of the recent data breach. We have posted tips on how to avoid these scams, and are also working with partners, including Facebook and Twitter, to help shut down fraudulent websites and scams intended to exploit Target guests. We have helped take down more than a dozen consumer scams to date.

What kind of scams do I need to watch out for?

Following an event like a data breach, it’s common to see fraudsters use emails, texts, phone calls and fake websites to try to steal your personal information.

Social Engineering: Using fraud or deception to manipulate people into performing actions or divulging information that they would normally not share.

Social Engineer: A scam artist who contacts individuals via phone, email, text message or even in person to gather information for the purposes of fraud, data system access, identity theft and more.

Phishing: A social engineer uses a fake email to trick recipients into giving up credit card information, passwords or other sensitive information. The email may appear to come from a trusted source, such as a reputable company or bank, and often includes personal details so it appears the sender knows you.

Smishing: Similar to Phishing (see above), a social engineer sends a fake Short Message Service (SMS) text message to your cell phone, announcing that you’ve won a prize or offer from a trusted company or bank if you follow a link to a website and enter a code. Clicking the link can expose your phone to malware.

Pretexting: When a social engineer impersonates someone with authority and creates a fake scenario to trick unsuspecting individuals into sharing private or sensitive information.

What are some things I can do to avoid social engineering scams?

Never give out private or personal information, including financial details, unless you can verify the identity of the person or organization contacting you.

Don’t respond to texts or emails coming from a contact you don't recognize, and don’t click on links. Instead, if you need to check on your account, type the site address you want visit into your browser and securely log into your account.

Don’t send money to strangers; scam artists often insist that you wire money, especially overseas, because it’s difficult to trace the transaction.

Keep an eye on your monthly statements. If your account information is stolen, fraudsters can use it to charge purchases or commit crimes in your name. Watch for unusual charges such as “membership fees” and other goods or services you didn’t authorize. If you see a charge you don’t recognize, contact your account provider immediately.

Can I still use my credit or debit card or should I call to get a new one?

Yes, you can continue to use your card.

You should continue to closely monitor your credit or debit card account information and immediately report any fraudulent or suspicious activity by calling the number on the back of your card. As an additional precaution, you may want to change your PIN number on your Target REDcard debit card. You can do this by logging in to Target.com/RCAM.

How can I check the recent transactions on my account?

I want to get a new credit card. Can Target help with this?

Target can help with REDcard credit or debit cards only. We do not have access to other financial institutions' credit or debit card account information. If you have a non-Target credit or debit card, then specific concerns about your account can be addressed by calling the number on the back of your card.

If I close my account, can I reopen it later?

A Target REDcard account that is closed cannot be reopened, but you can apply for a new account. Please be aware that you must wait at least a day after closing your REDcard account to reapply. New accounts are subject to current terms and conditions, which may not be the same as your closed account. If you have a non-Target credit or debit card, questions about your account can be addressed by calling the number on the back of your card.

How do I add an alert to my REDcard credit card?

REDcard credit cardholders can set up alerts through Manage My REDcard so they can be informed every time their card is used. On Target.com, click on “Manage my REDcard” at the bottom of the page. Sign in to Manage My REDcard with your username and password. Under Settings, click “Set Alerts” on the left hand navigation menu. Select your alert and delivery preferences. Click “Save” and you’re ready to receive alerts.

Is it true that Target offered free credit monitoring and can I still take advantage of the offer?

Earlier this year, Target offered one year of free credit monitoring to all guests who shopped our U.S. stores. The free enrollment period was from January 2014 until April 30, 2014. (To be eligible, guests must have registered to receive an activation code by April 23, 2014.

Who did Target select as the credit monitoring service provider?

Target chose ProtectMyID, provided by Experian—a leading global information services company that helps individuals understand and keep track of their credit reports, as well as monitor for and resolve identity theft.

What was offered as part of the credit monitoring/ProtectMyID?

Credit Report: Registrants received a free copy of their Experian credit report. If they enrolled online, their report was available online for 30 days.

Daily Credit Monitoring: Registrants were eligible to receive alerts for one year that reflect changes to their Experian credit report during their membership term. This included new inquiries, newly opened accounts, new derogatory information (such as delinquencies or medical collections) and more.

Identity Theft Resolution: If confirmed that registrants have been the victim of identity theft, they will be assigned a dedicated, U.S.-based Experian Fraud Resolution Agent who will walk them through the fraud resolution process—and remain available to answer questions—from start to finish.

Identity Theft Insurance: If registrants have been a victim of identity theft relating to this incident, they will immediately be covered by a $1 million insurance policy that can help cover certain costs, including lost wages, private investigator fees, and unauthorized electronic fund transfers for one year.

ProtectMyID ExtendCARE: Access to personalized assistance from a highly-trained Fraud Resolution Agent will continue even after the initial one year ProtectMyID membership expires.

Will Target issue new credit and debit cards?

Will I have to use a chip-and-PIN card to shop at Target in the future?

No. We will continue to accept both standard magnetic strip credit cards and chip-and-PIN cards. We are adopting chip-and-PIN technology as another layer of protection so guest can shop with confidence that their personal data is secure.

What is your relationship with MasterCard?

Does this mean my current Visa card is not safe?

We have taken significant measures to secure our guests’ personal data, no matter which payment option they use. We are adopting chip-and-PIN technology as another layer of protection so guest can shop with even greater confidence that their personal data is secure.